By David Levine
In the moderated Peer2Peer session “Securing IoT: Tech’s latest Wild Frontier” we had a full room and a broad set of viewpoints, ranging from people involved in manufacturing, standards setting and government to those charged with managing and securing IoT. Most importantly we had some great dialog and certainly could have spent hours -- make that many, many hours -- digging deeper into each of the subjects we touched on.
To kick things off we started by defining IoT, then identified some of the risks (both potential and realized), discussed the history of how we got to this point with the technology, and also discussed where the ownership of IoT security belongs. While we didn’t solve the weighty issues and didn’t always agree on approaches, I’m hoping everyone left the session contemplating the full array of potential risks and some ideas on go-forward strategies.
A Tiered Approach: One of the key discussion points centered on the fact that a one-size-fits-all approach to securing IoT wasn’t going to work. There is too much disparity in the cost, complexity and risk of all things in this space. For example, the risk mitigation and support structure around an IP-enabled light bulb that costs a nominal amount and has a limited life expectancy is going to be different than for a car or a heart pump. At the end of the day both have to be secured to an extent proportional to the risk they pose, but the standards applied would likely not be the same. To that end we discussed the potential of a tiered or class-based approach to standards/controls. “Class A” or “Tier One” devices would require the most stringent and comprehensive security controls and functionality, whereas the bottom tier might only need to meet the most basic standards. Along these lines we also contemplated how long a company should support an item, requirements to facilitate updates and patches, etc. Again this came down to cost: should a vendor commit to long-term support and patching for a nominal, low-risk device? Perhaps not. For an expensive, life-impacting device? By all means.
Data Gathering: Another interesting aspect of the conversation was around data gathering and governance. Devices are collecting all kinds of data all the time, sometimes without the consumer’s direct knowledge. How should that be managed? Among other things, we discussed various strategies around transparency, the ability to opt in or opt out, how to address the selling of data, and securing the data that is collected.
Ownership/Responsibility: The short answer on this one was that it rests with the entire chain. From the engineers and developers to those implementing, using and maintaining devices, we all have a key role to play. Some of the issues we see today rest with the device design itself, while in other cases the device may have perfectly acceptable security options but those options go unused. Lastly, even if you correctly design and implement security measures, if they aren’t maintained or can’t be updated you could still find yourself with a problem.
Bottom Line? Saddle up and get comfortable for the long haul! There is a lot to be done but the good news is we are all talking about it and there are some great ideas roaming the frontier.